Re: Secure boot?
"The purpose of the secure boot is to establish a chain of trust from the power ON."
Yes, and it's a very short chain.
" If you, as a root/admin or OEM, install malware which does MITM - UEFI secure boot will not stop you (and it is not even designed to do that)."
This is my point. The chain of trust isn't even long enough to ensure that the OEM OS image is trustworthy.
It might have been a great idea at some time to make a genuinely trustworthy system but if so it was inadequate. For that to happen the boot process would have had to have the capacity to inspect the OS's certificates and if it found any deemed untrustworthy eliminate them or boot into a very restricted mode. Of course many of us might find this sort of behaviour unacceptably intrusive; there's always a trade-off between usability and security.
Alternatively it might have been a marketing ploy to give customers a feeling of security and maybe try to block attempts to load other OSs by establishing a degree of ownership over the hardware.
What it clearly doesn't do is ensure that it the customer at least starts off with a trustworthy machine.
Biting the hand that feeds IT
